Recent events in the health privacy realm have demonstrated that the consequences of health data breaches are becoming increasingly severe. In late August, the U.S. Department of Health and Human Services (HHS) announced a settlement between the HHS Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act (HIPAA), and Advocate Health Care Network (Advocate), under which Advocate, an entity that operates 11 hospitals and over 200 other treatment locations in Illinois, agreed to pay $5.5 million to resolve several data breaches. This amount is the most ever paid by a single entity relating to HIPAA violations.
The data breaches addressed by the settlement affected the electronic protected health information (ePHI) of approximately 4 million patients. Two of the breach incidents involved thefts of unencrypted laptops: the first was a theft of four unencrypted laptops containing personal health information from an Advocate administrative office, and the second involved someone stealing an unencrypted laptop containing the personal information of more than 2,200 individuals from an unlocked vehicle. A third component of the breach occurred when an unauthorized third party accessed the network of an Advocate business associate, potentially compromising 2,000 patients’ data.
OCR’s investigation found, among other things, that Advocate failed to properly assess data risks and to reasonably safeguard laptops containing health data. Advocate’s transgressions obviously were severe, and it is not surprising that HHS insisted on recovering such a significant amount. At the same time, HHS was likely attempting to send a signal that companies without effective safeguards could find themselves with substantial financial exposure even where, as was the case with Advocate, no misuse of the data has been discovered.
Closer to home, a Massachusetts Superior Court late last year issued a significant decision denying a motion to dismiss relating to the data breach that occurred at Boston Medical in 2014. That breach involved confidential health data of approximately 15,000 individuals appearing on the insecure website of a medical transcription contractor. Patients whose records were exposed filed a class action lawsuit against Boston Medical and the contractor, seeking, among other things, damages for the unauthorized exposure of their medical information.
Defendants filed a motion to dismiss based upon, among other things, a failure to allege a specific injury, as the plaintiffs had not claimed that their data had been improperly accessed or used. Going against the weight of decisions in similar cases in other jurisdictions, the Court denied the motion and allowed the case to proceed to discovery. Walker and O’Rourke, et al. v. Boston Medical Center Corp., et al., No. 2015-1733-BLS 1 (Mass. Superior Court Nov. 19, 2015). The court explained that it was reasonable to infer, given Boston Medical’s letter informing patients of the breach, that the plaintiffs’ records had actually been accessed or were likely to be accessed. The court held: “[p]laintiffs’ general allegation of injury from the data breach, inferring, as I do, that there likely was or will be access to plaintiffs’ confidential medical information by unauthorized persons, is sufficient.” Of course, plaintiffs would likely have to show more after discovery, but the decision is significant in light of its inconsistency with decisions in other jurisdictions, where plaintiffs have typically been required to show more to overcome a motion to dismiss. The prevalence of these types of lawsuits is increasing, and this decision could further encourage such efforts.
Together, these two matters show that it is more important than ever for health care companies to effectively secure patient data, including by encrypting portable devices that hold ePHI and assessing the security practices of their business associates and contractors, and to act immediately when the possibility of a breach arises.